ATMs are a walk in the park for hackers

A hacker has been demonstrating how to make an ATM give you all the cash you want, just by tinkering with the PC inside.

According to AP, hacker Barnaby Jack spent two years tinkering in his Silicon Valley apartment with ATMs he bought online. These are not the machines you saw in bank branches, more those standalone machines in a corner store that charge you an arm and a leg and take a day to dole out a fiver.

Jack wanted to take control of ATMs by exploiting weaknesses in the computers that run the machines.

Speaking at the Black Hat conference yesterday he showed two ways he can get ATMs to spit out money, other than sticking his card in and tapping in his pin number.

Security flaw one is that the physical keys that came with his machines are the same for all ATMs of that type made by that manufacturer. Buy one machine and you have the keys to all the rest.

When you unloke the ATM you discover it has standard USB slots. You can inserted a program he had written into one of them and demand that the ATM turn into a slot machine pay out in Vegas.

He also hacked into ATMs by exploiting weaknesses in the way ATM makers communicate with the machines over the Internet.

Apparently there is a flaw which allows outsiders to bypass the need for a password. The remote style of attack is more dangerous because an attacker doesn’t need to open up the back of the ATMs.

The attack can be used to harvest account data from anyone who uses the machines.

Although he did his best to protect the name of the ATMs he turned over, the screen shots have the name Tranax Technologies all over them,

Another manufacturer Triton Systems who appears in one of the screen shots said Jack alerted the company to the problems and that Triton now has a software update in place that prevents unauthorized software from running on its ATMs.

Oddly, Bob Douglas, Triton’s vice president of engineering, said customers can buy ATMs with unique keys but generally don’t, preferring to have a master key for cost and convenience.

This is mostly because companies have several thousand ATMs and you want to access 20 or so of them in one day. It would be a logistical nightmare to have all the right keys at just the right place at just the right time, it seems.